Request #24516 subset open_basedir in .htaccess and block users from opening files
Submitted: 2003-07-06 20:08 UTC Modified: 2010-11-18 23:30 UTC
Avg. Score: 4.8 ± 0.4
Reproduced: 2 of 3 (66.7%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: mphh at bandignition dot tk Assigned: jani (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None


 [2003-07-06 20:08 UTC] mphh at bandignition dot tk
Could someone find a way so that files (i.e., .htaccess, .httpd) could be blocked from being opened by a user, and so that open_basedir can be set on a per-directory basis while still enforcing the open_basedir set in .httpd or php.ini?

Reproduce code:
open_basedir = "/usr/home/public_html/"
deny_open_files = ".htaccess,.httpd"

.htaccess (#1):
php_flag open_basedir = "/usr/home/public_html/some/dir/"

.htaccess (#2):
php_flag open_basedir = "/"

$fp=fopen("text.txt", "w");
fwrite($fp, "nice text");
echo "file writing done";

$fp=fopen(".htaccess", "w");
fwrite($fp, "evil code");
echo "evil done";

Expected result:
.htaccess (#1) will work while,
.htaccess (#2) will not.


script1.php will return:
file writing done

and script2.php will return:
Error: fopen(): You are not allowed to open that file for security reasons.


php.ini (last revision 2012-01-31 02:17 UTC by webmasterick dot rl at hotmail dot com)

 [2010-11-18 23:30 UTC]
-Status: Open
+Status: Closed
-Package: Feature/Change Request
+Package: *General Issues
-Assigned To:
+Assigned To: jani
 [2010-11-18 23:30 UTC]
We have user ini support since 5.3.0. Also:

"As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set()"
 [2010-11-18 23:30 UTC]
-Package: *General Issues
+Package: Safe Mode/open_basedir
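
Added example, not part of the original report or of PHP's own code: a run-time sketch of the tightening behaviour quoted in the closing comment, using ini_set() as a stand-in for the two .htaccess cases in the report. The directory names are constructed, and the script assumes open_basedir is not already set when it starts (for instance a default php-cli run).

```php
<?php
// Added illustration; all paths below are constructed for the demo.
// Assumption: open_basedir is empty when the script starts.
function demo_tighten(): array
{
    $base = sys_get_temp_dir() . '/' . uniqid('obd_demo_');
    mkdir($base . '/some/dir', 0700, true);
    $base = realpath($base);                 // resolve symlinked temp dirs
    $sub  = $base . '/some/dir';
    file_put_contents($base . '/.htaccess', "# constructed placeholder\n");

    $r = [];
    // Stand-in for the php.ini line: open_basedir = "<base>/"
    // ini_set() returns the old value on success and false on failure.
    $r['set_base'] = ini_set('open_basedir', $base . '/') !== false;

    // Like .htaccess (#1) in the report: a subdirectory of the current value.
    $r['tighten'] = ini_set('open_basedir', $sub . '/') !== false;

    // Like .htaccess (#2): "/" is wider than the current value, so it is refused.
    $r['loosen'] = ini_set('open_basedir', '/') !== false;
    $r['effective'] = ini_get('open_basedir');

    // Inside the tightened directory: allowed.
    $fp = @fopen($sub . '/text.txt', 'w');
    $r['write_inside'] = $fp !== false;
    if ($fp !== false) {
        fwrite($fp, "nice text");
        fclose($fp);
    }

    // The parent's .htaccess is now outside open_basedir, so fopen() fails.
    // This is a path restriction, not the per-filename deny list requested.
    $r['write_parent_htaccess'] = @fopen($base . '/.htaccess', 'w') !== false;

    return $r;   // demo files are left behind in the temp directory
}

var_dump(demo_tighten());
```

The script cannot clean up after itself because the files above the tightened directory are no longer reachable once the restriction is in place.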
Last updated: Sun May 16 10:01:24 2021 UTC